Chapter I
Introduction and Background


Introduction


In response to legislative concern regarding expanding computerization in state government and to the information needs of various auditors in relation to the audits completed by the Office of the Legislative Auditor, we conducted a survey of the state's computer resources. The purpose of the survey was to develop a general overview of the state's computer resources.


Background


The last 30 years have seen dramatic changes in computing and data communications technology. The computer has evolved as a necessary tool, increasing in power each decade. The pocket calculator of today is more powerful than the largest computers of 30 years ago. Data communications networks now link the mainframe or minicomputer with remote terminals around the state.


In fiscal year 1991, the state of Montana spent at least $21.8 million on its computer resources, including computer hardware and software applications (excluding personal service expenditures). During this time, individual state agencies spent between .02 percent and 15.52 percent of their total expenditures on data processing. These computer resources are a vital part of the state's assets. We estimate the state's investment in computer hardware resources alone exceeds $35 million. These systems process financial and management information and provide information on which all levels of government and the private sector rely for decision making.

Currently, there is no centralized collection of information regarding the various state computer systems and applications. Neither the Department of Administration nor the Board of Regents collects this data.
Scope of Survey


This survey was conducted pursuant to section 5-13-304, MCA, which authorizes the Legislative Auditor to review all departments, institutions, and agencies of state government. The purpose of this report is to present the results of our survey regarding electronic data processing (EDP) in the state of Montana. This report is designed to provide information and is not intended to be an audit of electronic data processing in Montana state government. The survey was limited in scope and conducted according to selected government auditing standards. Data for the survey was collected between March 1991 and September 1991.


The objectives of our survey were to:

1. Compile a list of computer equipment used by the legislative, judicial and executive branch agencies, and the higher education institutions.

2. Identify the major or "high risk" software applications used by legislative, judicial and executive branch agencies, and the higher education units.

3. Identify the vulnerabilities to EDP risks for these major software applications.

This effort represents the first comprehensive statewide analysis of Montana's data processing systems. We sent the survey to all state agencies and units of higher education. We received complete responses from the majority of the state agencies and higher education units. Three agencies provided limited or no response to the survey and are therefore not included in the survey results as reported in this document. These include the Department of Military Affairs, the Commissioner of Higher Education, and the Great Falls Vocational-Technical Center.


Organization of Report


In presenting the survey results we have organized the report into four chapters. Chapter I contains the introduction and background information with the purpose and objectives of the survey. Chapter II discusses the various types of computer hardware resources used by the state agencies and higher education units. It also presents the survey results for the number of computers in use in state government.

Chapter III contains information about management of the state's computer resources. Because of the state's significant investment, it should manage, control, and protect these vital resources. Currently, the Department of Administration and the Board of Regents provide statutory oversight.

Finally, we performed a limited electronic data processing risk analysis for major software applications identified by the legislative, judicial and executive agencies and the higher education units. Information on the results of our limited risk analysis is disclosed in Chapter IV.
Introduction


The state of Montana uses a variety of computer resources which support its operations and services to citizens. The state's computers range from mainframe to microcomputer. The three types of computers used in state government include:

Mainframe - Large capacity computer capable of running a variety of system software with sizeable storage and output capabilities.

Minicomputer - Smaller version of the mainframe with a smaller storage capacity dedicated to a limited number of applications.

Microcomputer - Desk-sized processor used for a limited set of functions. Less storage capacity than the minicomputer.

In addition, the state has migrated toward the use of local area networks (LANs), which significantly expand the capacity of the minicomputer and microcomputer in the agencies.

We surveyed state agencies and the university units to identify the type of computer hardware (the actual physical equipment) in use and the number of computers in use in state government.


Overview of the State's Computer Hardware Resources


The survey respondents use a combination of mainframe, minicomputer and microcomputer systems to meet their data/information processing needs. Most state agencies reported using the IBM mainframe at the Information Processing Facility maintained by the Information Services Division as their main data processing computer. Some agencies and higher education units (such as the Department of Justice and the University of Montana) operate their own large mainframe computers. In addition, many agencies and units have smaller, in-house computer systems (referred to as minicomputers). All state organizations use microcomputers, also known as personal computers.

The state's computer environment is dynamic. It changes continually, due in part to the increasing use of microcomputers. As a result, it is difficult to obtain a complete and accurate inventory of computer hardware in use. We used the information obtained from the survey respondents and the Department of Administration network inventory system to identify the type and number of computers in use by state organizations. The state had over 4,500 mainframes, minicomputers, and microcomputers in use at July 1991.

In our March 1988 report on Microcomputer Controls (87P-36) we reported there were approximately 1,345 microcomputers in use in state agencies in 1987 and another 1,700 in the university system (including those used for educational purposes). Our current survey does not include computers used solely for instruction or educational purposes (i.e., microcomputers used in the classroom). The following charts show the breakdown of these systems by vendor and type.


HARDWARE SYSTEMS IN USE BY STATE AGENCIES

[Chart: counts by vendor and type; values not legible in this copy.]

Source: Office of the Legislative Auditor's analysis of EDP risk questionnaire responses, July 1991.

HARDWARE SYSTEMS IN USE BY HIGHER EDUCATION UNITS

[Chart: counts by vendor and type. Legible values: microcomputers - Hewlett/Packard 46, Zenith 397, total 978 (IBM, Apple, Digital and Other counts not legible); minicomputers - IBM, Digital and Hewlett/Packard listed, with one count of 22 (vendor not legible); mainframes - Digital 7.]

Source: Office of the Legislative Auditor's analysis of EDP risk questionnaire responses, July 1991.

As detailed in the following graphs, the state uses primarily IBM microcomputers. In the mainframe and minicomputer environment, the state agencies and university units use primarily IBM or Digital (DEC) computers.


Figure 1

Microcomputers Used by State Agencies/University Units

[Chart: microcomputer counts by vendor for state agencies and university units.]

Source: Office of the Legislative Auditor's analysis of EDP risk questionnaire responses, July 1991.

Figure 2

Mainframe and Mini Computers Used by State Agencies/University Units

[Chart: hardware vendors; legend: State Agencies, Higher Education.]

Source: Office of the Legislative Auditor's analysis of EDP risk questionnaire responses, July 1991.


Hardware Expenditures


According to information reported on the Statewide Budgeting and Accounting System and disclosed in the following table, the state spent $8.9 million on computer equipment during the two fiscal years 1989-90 and 1990-91. In addition, the state spent $15.1 million and $17.7 million for computer-related operating expenses during fiscal years 1989-90 and 1990-91. This does not include the personal service costs associated with data processing personnel.
Table 1

Computer Operating and Equipment Expenses
Agency Totals for Fiscal Years 1989-90 and 1990-91

(Amounts in dollars; "-" indicates no equipment expense reported for that year.)

Agency                 Operating FY90  Operating FY91  Equipment FY90  Equipment FY91      Total FY90      Total FY91
Leg. Auditor                   40,521          35,774          16,043          23,596          56,564          59,370
Leg. Fiscal Anal.              22,016          49,123               -               -          22,016          49,123
Leg. Council                  207,365         269,641         117,481         100,191         324,846         369,832
Other Legis. Agen.              1,511          39,385          11,413         113,560           8,675         152,945
Judicial Branch               178,069         193,629          83,393          28,241         261,461         221,869
Governor's Office              39,668          60,869          19,731          14,519          59,399          75,388
Sec. of State                 166,266         159,051           9,038          12,834         175,304         171,885
Pol. Practices                    264             293           1,303             242           1,567             535
State Auditor                 632,432         443,212          59,878           2,150         692,309         445,362
OPI                            35,692          42,384         278,692         178,999         314,384         221,384
Billings Vo-Tech                4,297           5,223          19,846          34,481          24,143          39,704
Butte Vo-Tech                   2,161           5,159          60,626           6,056          62,787          11,215
Grt. Falls Vo-Tech              2,444           5,513               -               -           2,444           5,513
Helena Vo-Tech                  3,446           3,747             565               -           4,011           3,747
Missoula Vo-Tech               87,899          86,184          11,706          12,748          99,605          98,933
Justice                       811,203         892,857         239,173         170,833       1,050,376       1,063,690
Public Serv. Reg.              18,061          20,209          28,765           8,785          46,826          28,994
Board of Pub. Ed.               1,024             709               -           1,000           1,024           1,709
Com. Higher Ed.                16,727          36,752          57,619          74,241          74,346         110,973
U of M                      1,639,275       1,706,594         621,070         701,987       2,260,345       2,408,580
MSU                         1,872,411       1,824,546               -               -       1,872,411       1,824,546
MT Tech                       361,070         461,712         195,395         167,055         556,465         628,767
Eastern                       734,649         774,702         193,515         317,866         928,164       1,092,568
Northern                      323,700         263,780          69,620          21,175         393,320         284,955
Western                        31,928          35,289         329,904         114,180         361,833         149,469
Deaf & Blind                    2,118           1,245               -               -           2,118           1,245
Arts Council                      745             803               -               -             745             803
State Library                  11,908           5,687          71,019          95,620          82,927         101,307
Council on Vo-Ed.                 467             365               -               -             467             365
Historical Soc.                 5,944           5,886          44,682          11,483          50,626          17,368
Fire Serv. Trng.                  885             935               -               -             885             935
FWP                           244,992         289,994         154,070         131,490         399,062         421,485
Health                        178,349         173,663          73,976         243,509         252,325         417,172
Transportation                502,467         491,567         256,323         258,928         758,790         750,495
State Lands                   200,281         194,728         167,215         112,788         367,496         307,516
Livestock                      46,476          74,176          37,504           6,141          83,981          80,317
DNRC                          134,198         143,044         129,238          76,095         263,436         219,140
Revenue                     1,085,848       1,238,542          96,284         175,464       1,182,132       1,414,006
Administration                387,480         436,680         362,042          95,181         749,523         531,860
State Fund                    276,800         580,498          65,297           3,416         342,097         583,914
PERD                          181,475         143,970         (9,479)           2,599         171,997         146,569
TRD                           103,308          75,541             143               -         103,451          75,541
Agriculture                    13,075          14,839          34,892          25,199          47,967          40,038
Corrections                    25,739          48,649          79,283         120,329         105,022         168,978
Commerce                    2,509,240       3,668,238          71,122         103,432       2,580,362       3,771,670
Labor & Ind.                1,033,960         670,745         385,482         129,845       1,419,442         800,590
Military Aff.                   5,947           7,062           8,097           8,389          14,044          15,451
SRS                           811,283       1,894,637         373,813         395,906       1,185,096       2,290,543
Family Serv.                   94,273          98,590          11,255           2,017         105,528         100,607
TOTAL                     $15,091,359     $17,676,402      $4,837,034      $4,102,570     $19,928,393     $21,778,972

Source: Statewide Budgeting and Accounting System.
Network Growth


At the end of fiscal year 1991 the Information Services Division (ISD) conducted a survey of information on networking plans for all agencies. These plans include existing microcomputers and anticipated purchases of microcomputer hardware. According to this survey, agencies will add approximately 900 microcomputers to local area networks in fiscal year 1992. They will add another 500 during fiscal year 1993. In addition to this, agencies will be adding about 200 other workstations, connected to minicomputer or mainframe computer networks, during the next two years.
Introduction


The management of data processing resources varies between state agencies and the university units. Some agencies have established data processing groups within the organization, while other agencies rely on assistance from the Department of Administration (department). The department provides oversight of state electronic data processing functions. Two other state government groups are involved in agency data processing: the Data Processing Advisory Council and the Data Processing Managers Group.


Department of Administration


The Department of Administration provides oversight of the data processing function in state government, with some exceptions. The department's responsibilities include:

1. establish policies and a statewide plan for the operation and development of data processing for state government;

2. review and approve agency specifications and procurement methods for the acquisition of data processing equipment to insure network compatibility and conformity with the statewide data processing plan;

3. review and approve all contracts for private sector data processing services to insure conformance with the statewide data processing plan; and

4. operate and maintain a central computer center and a data processing equipment pool for the use of all state agencies and political subdivisions.

The department's responsibilities as listed above do not extend to the Office of the Superintendent of Public Instruction (OPI) unless a proposed activity affects the operation of the central computer center or the equipment pool. OPI maintains a data processing function which provides oversight to the state's school districts. The function works with the department in an effort to maintain compatibility with other state agencies as appropriate.
The department's authority for review and approval of the acquisition of data processing equipment does not extend to the University System. Currently each unit of higher education conducts its own evaluation and acquisition of data processing equipment. The Board of Regents has not established a central purchasing function but does require the units to maintain compatibility with other units and the state's central mainframe.

The department is also responsible for providing centralized management and coordination of state policies for security of data and information technology resources. This management and coordination includes:

1. establishing minimum security standards, including physical security and backup;

2. establishing standards and policies for electronic data exchange;

3. providing training regarding security of data and information technology resources; and

4. providing technical and managerial assistance relating to the security program.

The department implements its responsibilities through the Information Services Division (ISD). ISD has developed guidelines in the form of the Montana Operations Manual (MOM). The MOM provides agencies with guidelines for computer hardware and software acquisition and use and information technology resource security. The ISD guidelines require new purchases of computer hardware to meet certain minimum standards. These guidelines require connectivity between systems.

The division employs several data processing professionals (authorized 120 FTE) who operate and maintain the state's mainframe, the data processing equipment pool, training facilities and the state's telecommunications network. In addition, the division provides data processing support through training seminars, on-site assistance to agencies, and software development.


Data Processing Managers Group


The Data Processing Managers Group was informally established in 1978. Data processing management personnel from various state agencies make up the group. The group was organized to review and make recommendations on data processing issues affecting state government data processing activities. The group participates in the statewide data processing planning effort by interacting with agency data processing programs and with the Information Services Division on issues affecting the data processing community (i.e., the state's networking plan was discussed with the Data Processing Managers Group). The group adopted a charter which requires bimonthly meetings.


Data Processing Advisory Council


The Data Processing Advisory Council was created in 1979 by section 2-17-502, MCA. Its members are selected by the director of the Department of Administration from a diverse group in order to adequately represent the interests of state agencies, including the university system. Its purpose is to assist the department in the assertion of its authority in the data processing area under section 2-17-501, MCA, and work with the department on strategic information systems issues which face all state agencies. The goals of the council are to educate agencies on the appropriate use of computers and make recommendations on the:

1. establishment of a planning process and development of biennial plans that provide management direction to the information processing effort;

2. establishment of policies to assure efficient utilization of information processing resources;

3. strategies to manage information resources more effectively; and

4. coordination of the rapid expansion of office automation throughout state government.

The council is composed of 22 members, mostly agency directors. The last meeting of the Data Processing Advisory Council was held in January 1990. The council did not meet during fiscal year 1991, but anticipates a meeting in December 1991. The council has not played an active role in the oversight or management of the state's data processing.
Introduction


As discussed in the preceding chapter, the Department of Administration provides oversight for the acquisition and use of hardware resources. In this chapter we discuss the state's software resources, which are primarily the responsibility of the agency.

One of the survey objectives was to identify the major or "high risk" software applications used in state government. In addition, our survey identified the vulnerabilities of these major applications to EDP risks. EDP risk analysis evaluates an organization's electronic information resources, its existing controls over these resources, the environment in which they operate and computer system vulnerabilities. The results of this EDP risk analysis can be used by management and auditors to identify areas for future review.


Risks Associated With Electronic Data Processing


An EDP risk is the potential loss to an organization that results from misuse or failure of its computer. This may involve unauthorized disclosure, change and/or loss of information resources. In addition, loss may result from the authorized but incorrect use of a computer.

Risks, which are always present in a computer environment, are generated by a variety of threats. Some of these threats are:

- physical, such as fire, water damage, earthquake, etc.

- people oriented, such as errors, deliberate acts of violence, fraud, etc.

These risks cannot be eliminated, but controls can reduce an organization's risks. If controls are inadequate, a vulnerability exists which may lead to loss. The risks unique to a data processing environment also include:

1. developing systems that do not meet user needs;

2. designing systems that are too costly;

3. producing systems with insufficient or missing controls; and

4. implementing systems in an environment in which software errors, hardware problems, and rapid organizational change can cause costly delays.

Data processing controls are needed to ensure the accurate, timely, and complete processing of data. Users must be able to rely on the output of the computer application. Regardless of the size or nature of a computer system or software application, the following major control objectives must be met:

1. confidentiality of personal, private, or otherwise sensitive data handled by the system;

2. integrity and accuracy of data and the processes that handle the data; and

3. availability of systems and the data or services they support.


Risk Analysis


EDP risk analysis involves an evaluation of an organization's information resources, its existing controls and the environment in which they operate and computer system vulnerabilities. Risk assessment is a management tool to measure an application's vulnerabilities. An EDP risk analysis can result in a systematic way for management to plan, control, and operate computer systems. In addition, an EDP risk analysis provides the ground work for an EDP audit of an organization's data processing environment or its software applications.

Based on standard methodologies developed by other organizations and states, we designed our survey questionnaire to provide comparable information about EDP resources statewide. We requested the respondents to the questionnaire to identify their major software applications, including those operating on microcomputers. Each respondent was asked to rate each application on 23 risk factors for the following seven major categories:
Importance of the application - A poorly developed or controlled application that is critical to an organization's mission could endanger the organization's basic effectiveness.

Access to information and data - These risks are associated with unauthorized or unintentional access to an agency's information.

Technological complexity - The more complex the technology, the greater the risk. The more organizations rely on their computerized applications, the higher the risks associated with that technology.

System environment and stability - Active management involvement, enforced standards, skilled personnel, and controls can reduce risks.

Reliability and integrity - This set of factors shows risks associated with system failure and generation of wrong data. Decentralized operations and extensive use of microcomputers make systems vulnerable to potential threats.

System characteristics - Poor system characteristics often result in hard-to-maintain programs, inaccurate or incomplete processing, poor system performance, and inadequate audit trails.

System review - Applications that have not been reviewed for many years or have changed a lot since the most recent review may be at greater risk than those reviewed frequently.

We assigned numeric risk values to each factor and importance weights to each risk factor. We calculated a total risk score for each application using the agency-assigned rating and all individual risk factor scores. Scores on this rating can range from a low of 92 to a maximum of 276.

Overall, we found the most common risk factor identified for state applications was the frequency of review of the application. Of 417 applications identified by the respondents, 66 percent have not been reviewed for several years or there have been significant changes to the application since its last review. Major risk factors identified are reflected in the following table.


Table 2

Most Common High-Risk Items
For 417 Identified Applications

1. Recency of Audit of the Applications:

66% of the applications have not been reviewed for many years, or there have been significant changes to the applications since their last review.

2. Criticality of the Applications to the Organization:

65% of the applications were identified as critical to the organization's operations or the controlling of the organization's funds.

63% of the applications identified contain much critical data.

3. Types of Hardware:

44% of the applications are processed on a microcomputer.

4. Accessibility to the Data in the Applications:

35% of the applications contain data which is extremely valuable (disclosure would have a serious impact on the organization).

5. Technological Complexity of the Applications:

28% of the applications' computer programs identified contain complex algorithms and/or are unstructured.

26% of the applications had several dependent applications or a poor application interface.

24% of the applications have users that are not knowledgeable about the application's technology.

6. Environment and Stability of the Applications:

27% The organization does not use a structured management approach.

23% of the applications have little or no documentation.


We identified each agency's and higher education unit's software applications in order of vulnerability to risks. We averaged the total risk scores for each agency to arrive at overall agency and higher education ratings. The following section discusses the results of this analysis in relation to the state's software resources.
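The weighted scoring described above, together with the two ways the report aggregates it (the percent of applications rated high on a factor, as in Table 2, and the per-agency average, as in Table 3), worked through as an added example; this is not the Legislative Auditor's own worksheet. The factor names, the 1-to-3 rating scale and the weights are assumptions. The weights were chosen to sum to 92 so that an application rated low on every factor scores 92 and one rated high on every factor scores 276, which is one scheme consistent with the range the report states. The three rated applications are constructed.

```python
"""Weighted EDP application risk scoring (added illustration, not the
Legislative Auditor's own worksheet).

The report says each application was rated on 23 risk factors in seven
categories, that each factor carried a numeric value and an importance
weight, and that total scores run from 92 to 276. The factor names, the
1-to-3 rating scale and the weights below are assumptions; the weights
sum to 92, so an application rated 1 on everything scores 92 and one
rated 3 on everything scores 276, reproducing the stated range.
"""
from collections import Counter
from statistics import mean

# (category, factor, weight): 23 assumed factors, weights sum to 92.
FACTORS = [
    ("importance", "critical to mission", 6),
    ("importance", "controls organization funds", 5),
    ("importance", "contains critical data", 5),
    ("access", "data extremely valuable if disclosed", 5),
    ("access", "number of users with access", 4),
    ("access", "remote access available", 4),
    ("complexity", "complex algorithms / unstructured code", 4),
    ("complexity", "dependent applications / poor interface", 4),
    ("complexity", "users unfamiliar with technology", 3),
    ("environment", "no structured management approach", 4),
    ("environment", "little or no documentation", 3),
    ("environment", "standards not enforced", 3),
    ("environment", "staff turnover", 3),
    ("reliability", "history of system failure", 5),
    ("reliability", "wrong data generated", 4),
    ("reliability", "decentralized / microcomputer processing", 4),
    ("characteristics", "hard to maintain programs", 3),
    ("characteristics", "incomplete or inaccurate processing", 3),
    ("characteristics", "poor performance", 3),
    ("characteristics", "inadequate audit trail", 3),
    ("review", "years since last review", 6),
    ("review", "significant change since last review", 4),
    ("review", "no review ever performed", 4),
]
RATING_SCALE = (1, 2, 3)   # assumed: 1 = low risk, 3 = high risk
HIGH = RATING_SCALE[-1]


def score_range():
    """Lowest and highest total the weighting can produce."""
    total_weight = sum(w for _, _, w in FACTORS)
    return total_weight * min(RATING_SCALE), total_weight * max(RATING_SCALE)


def total_risk_score(ratings):
    """Weighted total for one application; `ratings` maps factor -> 1..3.
    A questionnaire that leaves factors unrated or uses an off-scale value
    is rejected rather than silently scored as low risk."""
    missing = [f for _, f, _ in FACTORS if f not in ratings]
    if missing:
        raise ValueError(f"unrated factors: {missing}")
    bad = {f: r for f, r in ratings.items() if r not in RATING_SCALE}
    if bad:
        raise ValueError(f"off-scale ratings: {bad}")
    return sum(w * ratings[f] for _, f, w in FACTORS)


def agency_average(app_ratings):
    """Average of an agency's application scores (the Table 3 method)."""
    return mean(total_risk_score(r) for r in app_ratings)


def high_risk_percentages(all_ratings):
    """Percent of applications rated HIGH on each factor (the Table 2 method)."""
    n = len(all_ratings)
    hits = Counter(f for r in all_ratings for f, v in r.items() if v == HIGH)
    return {f: round(100 * hits[f] / n) for _, f, _ in FACTORS}


def uniform_ratings(value, overrides=None):
    """Rate every factor `value`, then apply per-factor overrides."""
    ratings = {f: value for _, f, _ in FACTORS}
    ratings.update(overrides or {})
    return ratings


# Constructed responses for three applications of one hypothetical agency.
SAMPLE_APPS = [
    uniform_ratings(1),                                  # low everywhere: 92
    uniform_ratings(3),                                  # high everywhere: 276
    uniform_ratings(2, {"years since last review": 3}),  # 2 * 92 + 6 = 190
]

if __name__ == "__main__":
    print("possible score range:", score_range())
    for app in SAMPLE_APPS:
        print("application score:", total_risk_score(app))
    print("agency average:", agency_average(SAMPLE_APPS))
    pct = high_risk_percentages(SAMPLE_APPS)
    print("% rated high on 'years since last review':", pct["years since last review"])
```

The validation in `total_risk_score` matters more than the arithmetic: an incomplete questionnaire must fail loudly, because a missing factor treated as zero would push an application toward the low-risk end of the ranking for no reason.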
Software Resources in State Government


The state organizations responding to our survey identified 417 major (or critical) software applications. Of these, 273 were reported to be essential to the organization's operation. In other words, these systems are necessary for the state organization to carry out its mission. These essential applications support financial, management, statistics, research, and other functions.

These computer systems and the information they contain are vital resources for the state. The systems process financial and management information and provide reports upon which all levels of government and the private sector rely. They also contribute a broad range of information for planning, control and decision making.

Most of the 273 essential systems identified by the agencies are of average complexity, require some manual efforts, and are written in common programming languages, such as COBOL and/or BASIC. The applications range in age from less than one year to over 25 years. About three-fourths of the essential applications which received the highest risk scores have not been reviewed. Many of these are management information systems which support decision making activities.

The following table reflects each agency's and higher education unit's total risk scores. The agency risk score reflects an average of that agency's applications risk scores. This table suggests the agencies which may be at higher risk of operational failure if they were to lose the software or hardware resources used in processing their computerized data.
Table 3

Total Risk Scores
Agencies Responding to Questionnaire

State Agencies                          Score
Legislative Fiscal Analyst                208
School for the Deaf and Blind             204
Board of Investments                      201
Department of Livestock                   201
Legislative Council                       200
Department of Natural Resources           196
Secretary of State                        195
Public Employees' Retirement Div.         191
Department of Health                      190
Historical Society                        189
Governor's Office                         187
Social & Rehabilitative Services          187
Labor and Industry                        187
State Library                             184
State Auditor                             183
Family Services                           182
State Compensation Mutual Insurance       182
Department of Justice                     181
Teachers' Retirement Div.                 180
Montana State Prison                      179
Department of Revenue                     177
State Lands                               177
Office of Public Instruction              175
Fish, Wildlife & Parks                    173
Public Service Regulation                 172
Board of Housing                          171
Department of Transportation              168
Department of Agriculture                 165
Department of Commerce                    164
Judicial Branch                           164
Department of Administration              161
Montana State Lottery                     158

Higher Education Units                  Score
Northern Montana College                  203
Butte Vo-Tech Center                      202
Western Montana College                   197
University of Montana                     194
Missoula Vo-Tech Center                   193
Billings Vo-Tech Center                   187
Helena Vo-Tech Center                     185
Montana State University                  181
Eastern Montana College                   173
MT Tech                                   165

Source: Office of the Legislative Auditor analysis of EDP risk questionnaire responses, September 1991.
The information contained in the final table reflects the 16
applications identified as having the highest risk score. These
applications are subject to the greatest risk based on the
agency's response to the questionnaire and the 23 risk factors.
Several of these applications provide critical information to the
operation of state government and the legislative decision-making
process.
Table 4

Application Risk Scores
Applications at Highest Risk

Agency                     Major Application                   Score

Labor & Industry           Workers' Comp. Database             243
Leg. Fiscal Analyst        Legislative Budget Sys.             233
Natural Resources          Tech., Environ., and Econ.          230
Governor's Office          Executive Budget System             228
Dept. of SRS               Child Support Enforcement           226
Leg. Fiscal Analyst        Revenue Estimation Sys.             226
Natural Resources          Energy, Consumption & Cons          225
School for Deaf & Blind    Student Accounts                    225
Labor & Industry           Supplementary Data System           222
Board of Investments       PC Quote                            220
Dept. of Health            Mark IV; Water Qual. Track          219
Dept. of SRS               MIMS                                218
Dept. of Livestock         Accession Tracking System           218
Labor & Industry           Expenditures/Cash Reports           217
Board of Investments       Portfolio Management System         217
Natural Resources          Various prog., as part of           217
Northern Mont. College     Gift and Trust Accounting           217
Labor & Industry           JTPA EDWAA Formulas                 216
Labor & Industry           Workers' Comp Caseload Statistics   215
Labor & Industry           JTPA Target Groups                  215
Public Emp. Ret. Div       PERD Active Systems                 215

Source: Office of the Legislative Auditor's analysis of EDP risk questionnaire responses, September 1991.

Summary


As mentioned in the beginning of this chapter, the organization
is primarily responsible for the applications it uses in its
operation. We have identified the most common risk factors for state
applications as discussed on page 18. State organizations can
reduce some of the risks identified in this report by taking steps
to implement additional controls over their software
applications.


We provide the following suggestions as ways to reduce EDP
risks. State organizations could:

1. Establish a management committee to oversee essential
applications and obtain periodic external reviews of all
essential applications.

2. Establish procedures to periodically review employee and
nonemployee access to sensitive data. Review controls used
to limit access to information (refer to section 2-15-114,
MCA).

3. Enforce the use of written data processing standards,
policies, and procedures for all applications.

4. Use a structured system development methodology for all
system development and software maintenance projects.
Document all new programming efforts and program
changes prior to implementation so documentation remains
current.

5. Develop, document, and periodically test contingency plans
for all applications. Perform regular backups of all
programs and files. Physically secure backups away from
the main operating area.

In addition, this office plans to increase EDP audit work at the
state agencies and higher education units.